1scap-security-guide(8) System Manager's Manual scap-security-guide(8)
2
6 SCAP Security Guide - Delivers security guidance, baselines, and asso‐
7 ciated validation mechanisms utilizing the Security Content Automation
8 Protocol (SCAP).
9
13 The project provides practical security hardening advice for Red Hat
14 products, and also links it to compliance requirements in order to ease
15 deployment activities, such as certification and accreditation. These
16 include requirements in the U.S. government (Federal, Defense, and
17 Intelligence Community) as well as of the financial services and health
18 care industries. For example, high-level and widely-accepted policies
19 such as NIST 800-53 provides prose stating that System Administrators
20 must audit "privileged user actions," but do not define what "privi‐
21 leged actions" are. The SSG bridges the gap between generalized policy
22 requirements and specific implementation guidance, in SCAP formats to
23 support automation whenever possible.
24 The projects homepage is located at: https://www.open-scap.org/secu‐
26 rity-policies/scap-security-guide
27
31 Source Datastream: ssg-centos6-ds.xml
32 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
34 broken into 'profiles', groupings of security settings that correlate
35 to a known policy. Available profiles are:
36 Standard System Security Profile for Red Hat Enterprise Linux 6
40 Profile ID: xccdf_org.ssgproject.content_profile_standard
42 This profile contains rules to ensure standard security baseline
44 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
45 tem's workload all of these checks should pass.
46 Desktop Baseline
49 Profile ID: xccdf_org.ssgproject.content_profile_desktop
51 This profile is for a desktop installation of Red Hat Enterprise
53 Linux 6.
54 Server Baseline
57 Profile ID: xccdf_org.ssgproject.content_profile_server
59 This profile is for Red Hat Enterprise Linux 6 acting as a
61 server.
62 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
65 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
67 This is a *draft* profile for PCI-DSS v3.
69
75 Source Datastream: ssg-centos7-ds.xml
76 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
78 broken into 'profiles', groupings of security settings that correlate
79 to a known policy. Available profiles are:
80 Standard System Security Profile for Red Hat Enterprise Linux 7
84 Profile ID: xccdf_org.ssgproject.content_profile_standard
86 This profile contains rules to ensure standard security baseline
88 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
89 tem's workload all of these checks should pass.
90 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
93 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
95 Ensures PCI-DSS v3.2.1 security configuration settings are
97 applied.
98
104 Source Datastream: ssg-centos8-ds.xml
105 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
107 broken into 'profiles', groupings of security settings that correlate
108 to a known policy. Available profiles are:
109 Standard System Security Profile for Red Hat Enterprise Linux 8
113 Profile ID: xccdf_org.ssgproject.content_profile_standard
115 This profile contains rules to ensure standard security baseline
117 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
118 tem's workload all of these checks should pass.
119 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
122 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
124 Ensures PCI-DSS v3.2.1 security configuration settings are
126 applied.
127
133 Source Datastream: ssg-chromium-ds.xml
134 The Guide to the Secure Configuration of Chromium is broken into 'pro‐
136 files', groupings of security settings that correlate to a known pol‐
137 icy. Available profiles are:
138 Upstream STIG for Google Chromium
142 Profile ID: xccdf_org.ssgproject.content_profile_stig
144 This profile is developed under the DoD consensus model and DISA
146 FSO Vendor STIG process, serving as the upstream development
147 environment for the Google Chromium STIG.
148 As a result of the upstream/downstream relationship between the
150 SCAP Security Guide project and the official DISA FSO STIG base‐
151 line, users should expect variance between SSG and DISA FSO con‐
152 tent. For official DISA FSO STIG content, refer to
153 http://iase.disa.mil/stigs/app-security/browser-guid‐
154 ance/Pages/index.aspx.
155 While this profile is packaged by Red Hat as part of the SCAP
157 Security Guide package, please note that commercial support of
158 this SCAP content is NOT available. This profile is provided as
159 example SCAP content with no endorsement for suitability or pro‐
160 duction readiness. Support for this profile is provided by the
161 upstream SCAP Security Guide community on a best-effort basis.
162 The upstream project homepage is https://www.open-scap.org/secu‐
163 rity-policies/scap-security-guide/.
164
170 Source Datastream: ssg-debian8-ds.xml
171 The Guide to the Secure Configuration of Debian 8 is broken into 'pro‐
173 files', groupings of security settings that correlate to a known pol‐
174 icy. Available profiles are:
175 Standard System Security Profile for Debian 8
179 Profile ID: xccdf_org.ssgproject.content_profile_standard
181 This profile contains rules to ensure standard security baseline
183 of a Debian 8 system. Regardless of your system's workload all
184 of these checks should pass.
185 Profile for ANSSI DAT-NT28 Restrictive Level
188 Profile ID: xccdf_org.ssgproject.content_pro‐
190 file_anssi_np_nt28_restrictive
191 This profile contains items for GNU/Linux installations exposed
193 to unauthenticated flows or multiple sources.
194 Profile for ANSSI DAT-NT28 Minimal Level
197 Profile ID: xccdf_org.ssgproject.content_pro‐
199 file_anssi_np_nt28_minimal
200 This profile contains items to be applied systematically.
202 Profile for ANSSI DAT-NT28 High (Enforced) Level
205 Profile ID: xccdf_org.ssgproject.content_pro‐
207 file_anssi_np_nt28_high
208 This profile contains items for GNU/Linux installations storing
210 sensitive informations that can be accessible from unauthenti‐
211 cated or uncontroled networks.
212 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
215 Profile ID: xccdf_org.ssgproject.content_pro‐
217 file_anssi_np_nt28_average
218 This profile contains items for GNU/Linux installations already
220 protected by multiple higher level security stacks.
221
227 Source Datastream: ssg-eap6-ds.xml
228 The Guide to the Secure Configuration of JBoss EAP 6 is broken into
230 'profiles', groupings of security settings that correlate to a known
231 policy. Available profiles are:
232 STIG for JBoss Enterprise Application Platform 6
236 Profile ID: xccdf_org.ssgproject.content_profile_stig
238 This is a *draft* profile for STIG. This profile is being devel‐
240 oped under the DoD consensus model to become a STIG in coordina‐
241 tion with DISA FSO.
242
248 Source Datastream: ssg-fedora-ds.xml
249 The Guide to the Secure Configuration of Fedora is broken into 'pro‐
251 files', groupings of security settings that correlate to a known pol‐
252 icy. Available profiles are:
253 Standard System Security Profile for Fedora
257 Profile ID: xccdf_org.ssgproject.content_profile_standard
259 This profile contains rules to ensure standard security baseline
261 of a Fedora system. Regardless of your system's workload all of
262 these checks should pass.
263 OSPP - Protection Profile for General Purpose Operating Systems
266 Profile ID: xccdf_org.ssgproject.content_profile_ospp
268 This profile reflects mandatory configuration controls identi‐
270 fied in the NIAP Configuration Annex to the Protection Profile
271 for General Purpose Operating Systems (Protection Profile Ver‐
272 sion 4.2).
273 As Fedora OS is moving target, this profile does not guarantee
275 to provide security levels required from US National Security
276 Systems. Main goal of the profile is to provide Fedora develop‐
277 ers with hardened environment similar to the one mandated by US
278 National Security Systems.
279 PCI-DSS v3 Control Baseline for Fedora
282 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
284 Ensures PCI-DSS v3 related security configuration settings are
286 applied.
287
293 Source Datastream: ssg-firefox-ds.xml
294 The Guide to the Secure Configuration of Firefox is broken into 'pro‐
296 files', groupings of security settings that correlate to a known pol‐
297 icy. Available profiles are:
298 Upstream Firefox STIG
302 Profile ID: xccdf_org.ssgproject.content_profile_stig
304 This profile is developed under the DoD consensus model and DISA
306 FSO Vendor STIG process, serving as the upstream development
307 environment for the Firefox STIG.
308 As a result of the upstream/downstream relationship between the
310 SCAP Security Guide project and the official DISA FSO STIG base‐
311 line, users should expect variance between SSG and DISA FSO con‐
312 tent. For official DISA FSO STIG content, refer to
313 http://iase.disa.mil/stigs/app-security/browser-guid‐
314 ance/Pages/index.aspx.
315 While this profile is packaged by Red Hat as part of the SCAP
317 Security Guide package, please note that commercial support of
318 this SCAP content is NOT available. This profile is provided as
319 example SCAP content with no endorsement for suitability or pro‐
320 duction readiness. Support for this profile is provided by the
321 upstream SCAP Security Guide community on a best-effort basis.
322 The upstream project homepage is https://www.open-scap.org/secu‐
323 rity-policies/scap-security-guide/.
324
330 Source Datastream: ssg-fuse6-ds.xml
331 The Guide to the Secure Configuration of JBoss Fuse 6 is broken into
333 'profiles', groupings of security settings that correlate to a known
334 policy. Available profiles are:
335 Standard System Security Profile for JBoss
339 Profile ID: xccdf_org.ssgproject.content_profile_standard
341 This profile contains rules to ensure standard security baseline
343 of JBoss Fuse. Regardless of your system's workload all of these
344 checks should pass.
345 STIG for Apache ActiveMQ
348 Profile ID: xccdf_org.ssgproject.content_profile_amq-stig
350 This is a *draft* profile for STIG. This profile is being devel‐
352 oped under the DoD consensus model to become a STIG in coordina‐
353 tion with DISA FSO.
354 STIG for JBoss Fuse 6
357 Profile ID: xccdf_org.ssgproject.content_profile_stig
359 This is a *draft* profile for STIG. This profile is being devel‐
361 oped under the DoD consensus model to become a STIG in coordina‐
362 tion with DISA FSO.
363
369 Source Datastream: ssg-jre-ds.xml
370 The Guide to the Secure Configuration of Java Runtime Environment is
372 broken into 'profiles', groupings of security settings that correlate
373 to a known policy. Available profiles are:
374 Java Runtime Environment (JRE) STIG
378 Profile ID: xccdf_org.ssgproject.content_profile_stig
380 The Java Runtime Environment (JRE) is a bundle developed and
382 offered by Oracle Corporation which includes the Java Virtual
383 Machine (JVM), class libraries, and other components necessary
384 to run Java applications and applets. Certain default settings
385 within the JRE pose a security risk so it is necessary to deploy
386 system wide properties to ensure a higher degree of security
387 when utilizing the JRE.
388 The IBM Corporation also develops and bundles the Java Runtime
390 Environment (JRE) as well as Red Hat with OpenJDK.
391
397 Platform 3
398 Source Datastream: ssg-ocp3-ds.xml
399 The Guide to the Secure Configuration of Red Hat OpenShift Container
401 Platform 3 is broken into 'profiles', groupings of security settings
402 that correlate to a known policy. Available profiles are:
403 Open Computing Information Security Profile for OpenShift Node
407 Profile ID: xccdf_org.ssgproject.content_profile_opencis-node
409 This baseline was inspired by the Center for Internet Security
411 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
412 For the ComplianceAsCode project to remain in compliance with
414 CIS' terms and conditions, specifically Restrictions(8), note
415 there is no representation or claim that the OpenCIS profile
416 will ensure a system is in compliance or consistency with the
417 CIS baseline.
418 Open Computing Information Security Profile for OpenShift Master Node
421 Profile ID: xccdf_org.ssgproject.content_profile_opencis-master
423 This baseline was inspired by the Center for Internet Security
425 (CIS) Kubernetes Benchmark, v1.2.0 - 01-31-2017.
426 For the ComplianceAsCode project to remain in compliance with
428 CIS' terms and conditions, specifically Restrictions(8), note
429 there is no representation or claim that the OpenCIS profile
430 will ensure a system is in compliance or consistency with the
431 CIS baseline.
432
438 Source Datastream: ssg-ol7-ds.xml
439 The Guide to the Secure Configuration of Oracle Linux 7 is broken into
441 'profiles', groupings of security settings that correlate to a known
442 policy. Available profiles are:
443 Standard System Security Profile for Oracle Linux 7
447 Profile ID: xccdf_org.ssgproject.content_profile_standard
449 This profile contains rules to ensure standard security baseline
451 of Oracle Linux 7 system. Regardless of your system's workload
452 all of these checks should pass.
453 DRAFT - DISA STIG for Oracle Linux 7
456 Profile ID: xccdf_org.ssgproject.content_profile_stig
458 This is a *draft* profile for STIG for Oracle Linux 7.
460 Security Profile of Oracle Linux 7 for SAP
463 Profile ID: xccdf_org.ssgproject.content_profile_sap
465 This profile contains rules for Oracle Linux 7 Operating System
467 in compliance with SAP note 2069760 and SAP Security Baseline
468 Template version 1.9 Item I-8 and section 4.1.2.2. Regardless
469 of your system's workload all of these checks should pass.
470 PCI-DSS v3 Control Baseline Draft for Oracle Linux 7
473 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
475 Ensures PCI-DSS v3 related security configuration settings are
477 applied.
478
484 Source Datastream: ssg-ol8-ds.xml
485 The Guide to the Secure Configuration of Oracle Linux 8 is broken into
487 'profiles', groupings of security settings that correlate to a known
488 policy. Available profiles are:
489 Health Insurance Portability and Accountability Act (HIPAA)
493 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
495 The HIPAA Security Rule establishes U.S. national standards to
497 protect individuals’ electronic personal health information that
498 is created, received, used, or maintained by a covered entity.
499 The Security Rule requires appropriate administrative, physical
500 and technical safeguards to ensure the confidentiality,
501 integrity, and security of electronic protected health informa‐
502 tion.
503 This profile configures Oracle Linux 8 to the HIPAA Security
505 Rule identified for securing of electronic protected health
506 information.
507 Criminal Justice Information Services (CJIS) Security Policy
510 Profile ID: xccdf_org.ssgproject.content_profile_cjis
512 This profile is derived from FBI's CJIS v5.4 Security Policy. A
514 copy of this policy can be found at the CJIS Security Policy
515 Resource Center:
516 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
518 center
519 Standard System Security Profile for Oracle Linux 8
522 Profile ID: xccdf_org.ssgproject.content_profile_standard
524 This profile contains rules to ensure standard security baseline
526 of Oracle Linux 8 system. Regardless of your system's workload
527 all of these checks should pass.
528 Unclassified Information in Non-federal Information Systems and Organi‐
531 zations (NIST 800-171)
532 Profile ID: xccdf_org.ssgproject.content_profile_cui
534 From NIST 800-171, Section 2.2: Security requirements for pro‐
536 tecting the confidentiality of CUI in nonfederal information
537 systems and organizations have a well-defined structure that
538 consists of:
539 (i) a basic security requirements section; (ii) a derived secu‐
541 rity requirements section.
542 The basic security requirements are obtained from FIPS Publica‐
544 tion 200, which provides the high-level and fundamental security
545 requirements for federal information and information systems.
546 The derived security requirements, which supplement the basic
547 security requirements, are taken from the security controls in
548 NIST Special Publication 800-53.
549 This profile configures Oracle Linux 8 to the NIST Special Pub‐
551 lication 800-53 controls identified for securing Controlled
552 Unclassified Information (CUI).
553 [DRAFT] OSPP - Protection Profile for General Purpose Operating Systems
556 Profile ID: xccdf_org.ssgproject.content_profile_ospp
558 This profile reflects mandatory configuration controls identi‐
560 fied in the NIAP Configuration Annex to the Protection Profile
561 for General Purpose Operating Systems (Protection Profile Ver‐
562 sion 4.2).
563 This profile is currently under review. Use of this profile does
565 not denote or guarantee NIAP approval or certification until
566 this profile has been approved by NIAP.
567 PCI-DSS v3 Control Baseline Draft for Oracle Linux 8
570 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
572 Ensures PCI-DSS v3 related security configuration settings are
574 applied.
575
581 Source Datastream: ssg-opensuse-ds.xml
582 The Guide to the Secure Configuration of openSUSE is broken into 'pro‐
584 files', groupings of security settings that correlate to a known pol‐
585 icy. Available profiles are:
586 Standard System Security Profile for openSUSE
590 Profile ID: xccdf_org.ssgproject.content_profile_standard
592 This profile contains rules to ensure standard security baseline
594 of an openSUSE system. Regardless of your system's workload all
595 of these checks should pass.
596
602 Source Datastream: ssg-rhel6-ds.xml
603 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
605 broken into 'profiles', groupings of security settings that correlate
606 to a known policy. Available profiles are:
607 CSCF RHEL6 MLS Core Baseline
611 Profile ID: xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS
613 This profile reflects the Centralized Super Computing Facility
615 (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline
616 has received government ATO through the ICD 503 process, utiliz‐
617 ing the CNSSI 1253 cross domain overlay. This profile should be
618 considered in active development. Additional tailoring will be
619 needed, such as the creation of RBAC roles for production
620 deployment.
621 C2S for Red Hat Enterprise Linux 6
624 Profile ID: xccdf_org.ssgproject.content_profile_C2S
626 This profile demonstrates compliance against the U.S. Government
628 Commercial Cloud Services (C2S) baseline. nThis baseline was
629 inspired by the Center for Internet Security (CIS) Red Hat
630 Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013. For the SCAP
631 Security Guide project to remain in compliance with CIS' terms
632 and conditions, specifically Restrictions(8), note there is no
633 representation or claim that the C2S profile will ensure a sys‐
634 tem is in compliance or consistency with the CIS baseline.
635 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
638 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
640 This is a *draft* SCAP profile for Red Hat Certified Cloud
642 Providers
643 Standard System Security Profile for Red Hat Enterprise Linux 6
646 Profile ID: xccdf_org.ssgproject.content_profile_standard
648 This profile contains rules to ensure standard security baseline
650 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
651 tem's workload all of these checks should pass.
652 Desktop Baseline
655 Profile ID: xccdf_org.ssgproject.content_profile_desktop
657 This profile is for a desktop installation of Red Hat Enterprise
659 Linux 6.
660 Example Server Profile
663 Profile ID: xccdf_org.ssgproject.content_profile_CS2
665 This profile is an example of a customized server profile.
667 FTP Server Profile (vsftpd)
670 Profile ID: xccdf_org.ssgproject.content_profile_ftp-server
672 This is a profile for the vsftpd FTP server.
674 CNSSI 1253 Low/Low/Low Control Baseline
677 Profile ID: xccdf_org.ssgproject.content_profile_nist-CL-IL-AL
679 This profile follows the Committee on National Security Systems
681 Instruction (CNSSI) No. 1253, "Security Categorization and Con‐
682 trol Selection for National Security Systems" on security con‐
683 trols to meet low confidentiality, low integrity, and low assur‐
684 ance.
685 FISMA Medium for Red Hat Enterprise Linux 6
688 Profile ID: xccdf_org.ssgproject.content_profile_fisma-medium-
690 rhel6-server
691 FISMA Medium for Red Hat Enterprise Linux 6.
693 Server Baseline
696 Profile ID: xccdf_org.ssgproject.content_profile_server
698 This profile is for Red Hat Enterprise Linux 6 acting as a
700 server.
701 DISA STIG for Red Hat Enterprise Linux 6
704 Profile ID: xccdf_org.ssgproject.content_profile_stig
706 This profile contains configuration checks that align to the
708 DISA STIG for Red Hat Enterprise Linux 6.
709 In addition to being applicable to RHEL6, DISA recognizes this
711 configuration baseline as applicable to the operating system
712 tier of Red Hat technologies that are based off RHEL6, such as
713 RHEL Server, RHV-H, RHEL for HPC, RHEL Workstation, and Red Hat
714 Storage deployments.
715 United States Government Configuration Baseline (USGCB)
718 Profile ID: xccdf_org.ssgproject.content_profile_usgcb-
720 rhel6-server
721 This profile is a working draft for a USGCB submission against
723 RHEL6 Server.
724 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
727 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
729 This is a *draft* profile for PCI-DSS v3.
731
737 Source Datastream: ssg-rhel7-ds.xml
738 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
740 broken into 'profiles', groupings of security settings that correlate
741 to a known policy. Available profiles are:
742 Health Insurance Portability and Accountability Act (HIPAA)
746 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
748 The HIPAA Security Rule establishes U.S. national standards to
750 protect individuals’ electronic personal health information that
751 is created, received, used, or maintained by a covered entity.
752 The Security Rule requires appropriate administrative, physical
753 and technical safeguards to ensure the confidentiality,
754 integrity, and security of electronic protected health informa‐
755 tion.
756 This profile configures Red Hat Enterprise Linux 7 to the HIPAA
758 Security Rule identified for securing of electronic protected
759 health information.
760 C2S for Red Hat Enterprise Linux 7
763 Profile ID: xccdf_org.ssgproject.content_profile_C2S
765 This profile demonstrates compliance against the U.S. Government
767 Commercial Cloud Services (C2S) baseline.
768 This baseline was inspired by the Center for Internet Security
770 (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.
771 For the SCAP Security Guide project to remain in compliance with
773 CIS' terms and conditions, specifically Restrictions(8), note
774 there is no representation or claim that the C2S profile will
775 ensure a system is in compliance or consistency with the CIS
776 baseline.
777 Criminal Justice Information Services (CJIS) Security Policy
780 Profile ID: xccdf_org.ssgproject.content_profile_cjis
782 This profile is derived from FBI's CJIS v5.4 Security Policy. A
784 copy of this policy can be found at the CJIS Security Policy
785 Resource Center:
786 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
788 center
789 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
792 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
794 This profile contains the minimum security relevant configura‐
796 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
797 Linux 7 instances deployed by Red Hat Certified Cloud Providers.
798 Standard System Security Profile for Red Hat Enterprise Linux 7
801 Profile ID: xccdf_org.ssgproject.content_profile_standard
803 This profile contains rules to ensure standard security baseline
805 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
806 tem's workload all of these checks should pass.
807 [DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host
810 (RHELH)
811 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-stig
813 This *draft* profile contains configuration checks that align to
815 the DISA STIG for Red Hat Enterprise Linux Virtualization Host
816 (RHELH).
817 Unclassified Information in Non-federal Information Systems and Organi‐
820 zations (NIST 800-171)
821 Profile ID: xccdf_org.ssgproject.content_profile_cui
823 From NIST 800-171, Section 2.2: Security requirements for pro‐
825 tecting the confidentiality of CUI in non-federal information
826 systems and organizations have a well-defined structure that
827 consists of:
828 (i) a basic security requirements section; (ii) a derived secu‐
830 rity requirements section.
831 The basic security requirements are obtained from FIPS Publica‐
833 tion 200, which provides the high-level and fundamental security
834 requirements for federal information and information systems.
835 The derived security requirements, which supplement the basic
836 security requirements, are taken from the security controls in
837 NIST Special Publication 800-53.
838 This profile configures Red Hat Enterprise Linux 7 to the NIST
840 Special Publication 800-53 controls identified for securing Con‐
841 trolled Unclassified Information (CUI).
842 United States Government Configuration Baseline
845 Profile ID: xccdf_org.ssgproject.content_profile_ospp
847 This compliance profile reflects the core set of security
849 related configuration settings for deployment of Red Hat Enter‐
850 prise Linux 7.x into U.S. Defense, Intelligence, and Civilian
851 agencies. Development partners and sponsors include the U.S.
852 National Institute of Standards and Technology (NIST), U.S.
853 Department of Defense, the National Security Agency, and Red
854 Hat.
855 This baseline implements configuration requirements from the
857 following sources:
858 - Committee on National Security Systems Instruction No. 1253
860 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST
861 800-171) - NIST 800-53 control selections for MODERATE impact
862 systems (NIST 800-53) - U.S. Government Configuration Baseline
863 (USGCB) - NIAP Protection Profile for General Purpose Operating
864 Systems v4.0 (OSPP v4.0) - DISA Operating System Security
865 Requirements Guide (OS SRG)
866 For any differing configuration requirements, e.g. password
868 lengths, the stricter security setting was chosen. Security
869 Requirement Traceability Guides (RTMs) and sample System Secu‐
870 rity Configuration Guides are provided via the scap-security-
871 guide-docs package.
872 This profile reflects U.S. Government consensus content and is
874 developed through the OpenSCAP/SCAP Security Guide initiative,
875 championed by the National Security Agency. Except for differ‐
876 ences in formatting to accommodate publishing processes, this
877 profile mirrors OpenSCAP/SCAP Security Guide content as minor
878 divergences, such as bugfixes, work through the consensus and
879 release processes.
880 DISA STIG for Red Hat Enterprise Linux 7
883 Profile ID: xccdf_org.ssgproject.content_profile_stig
885 This profile contains configuration checks that align to the
887 DISA STIG for Red Hat Enterprise Linux V1R4.
888 In addition to being applicable to RHEL7, DISA recognizes this
890 configuration baseline as applicable to the operating system
891 tier of Red Hat technologies that are based off RHEL7, such as:
892 - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux
894 Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red
895 Hat Storage
896 OSPP - Protection Profile for General Purpose Operating Systems v. 4.2
899 Profile ID: xccdf_org.ssgproject.content_profile_ospp42
901 This profile reflects mandatory configuration controls identi‐
903 fied in the NIAP Configuration Annex to the Protection Profile
904 for General Purpose Operating Systems (Protection Profile Ver‐
905 sion 4.2).
906 This Annex is consistent with CNSSI-1253, which requires US
908 National Security Systems to adhere to certain configuration
909 parameters. Accordingly, configuration guidance produced accord‐
910 ing to the requirements of this Annex is suitable for use in US
911 National Security Systems.
912 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
915 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
917 Ensures PCI-DSS v3.2.1 security configuration settings are
919 applied.
920 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enter‐
923 prise Linux Hypervisor (RHELH)
924 Profile ID: xccdf_org.ssgproject.content_profile_rhelh-vpp
926 This compliance profile reflects the core set of security
928 related configuration settings for deployment of Red Hat Enter‐
929 prise Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelli‐
930 gence, and Civilian agencies. Development partners and sponsors
931 include the U.S. National Institute of Standards and Technology
932 (NIST), U.S. Department of Defense, the National Security
933 Agency, and Red Hat.
934 This baseline implements configuration requirements from the
936 following sources:
937 - Committee on National Security Systems Instruction No. 1253
939 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
940 impact systems (NIST 800-53) - U.S. Government Configuration
941 Baseline (USGCB) - NIAP Protection Profile for Virtualization
942 v1.0 (VPP v1.0)
943 For any differing configuration requirements, e.g. password
945 lengths, the stricter security setting was chosen. Security
946 Requirement Traceability Guides (RTMs) and sample System Secu‐
947 rity Configuration Guides are provided via the scap-security-
948 guide-docs package.
949 This profile reflects U.S. Government consensus content and is
951 developed through the ComplianceAsCode project, championed by
952 the National Security Agency. Except for differences in format‐
953 ting to accommodate publishing processes, this profile mirrors
954 ComplianceAsCode content as minor divergences, such as bugfixes,
955 work through the consensus and release processes.
956
962 Source Datastream: ssg-rhel8-ds.xml
963 The Guide to the Secure Configuration of Red Hat Enterprise Linux 8 is
965 broken into 'profiles', groupings of security settings that correlate
966 to a known policy. Available profiles are:
967 Health Insurance Portability and Accountability Act (HIPAA)
971 Profile ID: xccdf_org.ssgproject.content_profile_hipaa
973 The HIPAA Security Rule establishes U.S. national standards to
975 protect individuals’ electronic personal health information that
976 is created, received, used, or maintained by a covered entity.
977 The Security Rule requires appropriate administrative, physical
978 and technical safeguards to ensure the confidentiality,
979 integrity, and security of electronic protected health informa‐
980 tion.
981 This profile configures Red Hat Enterprise Linux 8 to the HIPAA
983 Security Rule identified for securing of electronic protected
984 health information.
985 Criminal Justice Information Services (CJIS) Security Policy
988 Profile ID: xccdf_org.ssgproject.content_profile_cjis
990 This profile is derived from FBI's CJIS v5.4 Security Policy. A
992 copy of this policy can be found at the CJIS Security Policy
993 Resource Center:
994 https://www.fbi.gov/services/cjis/cjis-security-policy-resource-
996 center
997 Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
1000 Profile ID: xccdf_org.ssgproject.content_profile_rht-ccp
1002 This profile contains the minimum security relevant configura‐
1004 tion settings recommended by Red Hat, Inc for Red Hat Enterprise
1005 Linux 8 instances deployed by Red Hat Certified Cloud Providers.
1006 Standard System Security Profile for Red Hat Enterprise Linux 8
1009 Profile ID: xccdf_org.ssgproject.content_profile_standard
1011 This profile contains rules to ensure standard security baseline
1013 of a Red Hat Enterprise Linux 8 system. Regardless of your sys‐
1014 tem's workload all of these checks should pass.
1015 Unclassified Information in Non-federal Information Systems and Organi‐
1018 zations (NIST 800-171)
1019 Profile ID: xccdf_org.ssgproject.content_profile_cui
1021 From NIST 800-171, Section 2.2: Security requirements for pro‐
1023 tecting the confidentiality of CUI in nonfederal information
1024 systems and organizations have a well-defined structure that
1025 consists of:
1026 (i) a basic security requirements section; (ii) a derived secu‐
1028 rity requirements section.
1029 The basic security requirements are obtained from FIPS Publica‐
1031 tion 200, which provides the high-level and fundamental security
1032 requirements for federal information and information systems.
1033 The derived security requirements, which supplement the basic
1034 security requirements, are taken from the security controls in
1035 NIST Special Publication 800-53.
1036 This profile configures Red Hat Enterprise Linux 8 to the NIST
1038 Special Publication 800-53 controls identified for securing Con‐
1039 trolled Unclassified Information (CUI)."
1040 Protection Profile for General Purpose Operating Systems
1043 Profile ID: xccdf_org.ssgproject.content_profile_ospp
1045 This profile reflects mandatory configuration controls identi‐
1047 fied in the NIAP Configuration Annex to the Protection Profile
1048 for General Purpose Operating Systems (Protection Profile Ver‐
1049 sion 4.2).
1050 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
1053 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1055 Ensures PCI-DSS v3.2.1 security configuration settings are
1057 applied.
1058
1064 Source Datastream: ssg-rhosp13-ds.xml
1066 The Guide to the Secure Configuration of Red Hat OpenStack Platform 13
1068 is broken into 'profiles', groupings of security settings that corre‐
1069 late to a known policy. Available profiles are:
1070 RHOSP STIG
1074 Profile ID: xccdf_org.ssgproject.content_profile_stig
1076 Sample profile description.
1078
1084 Source Datastream: ssg-rhv4-ds.xml
1085 The Guide to the Secure Configuration of Red Hat Virtualization 4 is
1087 broken into 'profiles', groupings of security settings that correlate
1088 to a known policy. Available profiles are:
1089 VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtual‐
1093 ization Hypervisor (RHVH)
1094 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-vpp
1096 This compliance profile reflects the core set of security
1098 related configuration settings for deployment of Red Hat Virtu‐
1099 alization Hypervisor (RHVH) 4.x into U.S. Defense, Intelligence,
1100 and Civilian agencies. Development partners and sponsors
1101 include the U.S. National Institute of Standards and Technology
1102 (NIST), U.S. Department of Defense, the National Security
1103 Agency, and Red Hat.
1104 This baseline implements configuration requirements from the
1106 following sources:
1107 - Committee on National Security Systems Instruction No. 1253
1109 (CNSSI 1253) - NIST 800-53 control selections for MODERATE
1110 impact systems (NIST 800-53) - U.S. Government Configuration
1111 Baseline (USGCB) - NIAP Protection Profile for Virtualization
1112 v1.0 (VPP v1.0)
1113 For any differing configuration requirements, e.g. password
1115 lengths, the stricter security setting was chosen. Security
1116 Requirement Traceability Guides (RTMs) and sample System Secu‐
1117 rity Configuration Guides are provided via the scap-security-
1118 guide-docs package.
1119 This profile reflects U.S. Government consensus content and is
1121 developed through the ComplianceAsCode project, championed by
1122 the National Security Agency. Except for differences in format‐
1123 ting to accommodate publishing processes, this profile mirrors
1124 ComplianceAsCode content as minor divergences, such as bugfixes,
1125 work through the consensus and release processes.
1126 [DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
1129 Profile ID: xccdf_org.ssgproject.content_profile_rhvh-stig
1131 This *draft* profile contains configuration checks that align to
1133 the DISA STIG for Red Hat Virtualization Host (RHVH).
1134
1140 Source Datastream: ssg-sl6-ds.xml
1141 The Guide to the Secure Configuration of Red Hat Enterprise Linux 6 is
1143 broken into 'profiles', groupings of security settings that correlate
1144 to a known policy. Available profiles are:
1145 Standard System Security Profile for Red Hat Enterprise Linux 6
1149 Profile ID: xccdf_org.ssgproject.content_profile_standard
1151 This profile contains rules to ensure standard security baseline
1153 of a Red Hat Enterprise Linux 6 system. Regardless of your sys‐
1154 tem's workload all of these checks should pass.
1155 Desktop Baseline
1158 Profile ID: xccdf_org.ssgproject.content_profile_desktop
1160 This profile is for a desktop installation of Red Hat Enterprise
1162 Linux 6.
1163 Server Baseline
1166 Profile ID: xccdf_org.ssgproject.content_profile_server
1168 This profile is for Red Hat Enterprise Linux 6 acting as a
1170 server.
1171 PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6
1174 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1176 This is a *draft* profile for PCI-DSS v3.
1178
1184 Source Datastream: ssg-sl7-ds.xml
1185 The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 is
1187 broken into 'profiles', groupings of security settings that correlate
1188 to a known policy. Available profiles are:
1189 Standard System Security Profile for Red Hat Enterprise Linux 7
1193 Profile ID: xccdf_org.ssgproject.content_profile_standard
1195 This profile contains rules to ensure standard security baseline
1197 of a Red Hat Enterprise Linux 7 system. Regardless of your sys‐
1198 tem's workload all of these checks should pass.
1199 PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
1202 Profile ID: xccdf_org.ssgproject.content_profile_pci-dss
1204 Ensures PCI-DSS v3.2.1 security configuration settings are
1206 applied.
1207
1213 Source Datastream: ssg-sle11-ds.xml
1214 The Guide to the Secure Configuration of SUSE Linux Enterprise 11 is
1216 broken into 'profiles', groupings of security settings that correlate
1217 to a known policy. Available profiles are:
1218 Standard System Security Profile for SUSE Linux Enterprise 11
1222 Profile ID: xccdf_org.ssgproject.content_profile_standard
1224 This profile contains rules to ensure standard security baseline
1226 of a SUSE Linux Enterprise 11 system. Regardless of your sys‐
1227 tem's workload all of these checks should pass.
1228 Server Baseline
1231 Profile ID: xccdf_org.ssgproject.content_profile_server
1233 This profile is for SUSE Enterprise Linux 11 acting as a server.
1235
1241 Source Datastream: ssg-sle12-ds.xml
1242 The Guide to the Secure Configuration of SUSE Linux Enterprise 12 is
1244 broken into 'profiles', groupings of security settings that correlate
1245 to a known policy. Available profiles are:
1246 Standard System Security Profile for SUSE Linux Enterprise 12
1250 Profile ID: xccdf_org.ssgproject.content_profile_standard
1252 This profile contains rules to ensure standard security baseline
1254 of a SUSE Linux Enterprise 12 system. Regardless of your sys‐
1255 tem's workload all of these checks should pass.
1256
1262 Source Datastream: ssg-ubuntu1404-ds.xml
1263 The Guide to the Secure Configuration of Ubuntu 14.04 is broken into
1265 'profiles', groupings of security settings that correlate to a known
1266 policy. Available profiles are:
1267 Standard System Security Profile for Ubuntu 14.04
1271 Profile ID: xccdf_org.ssgproject.content_profile_standard
1273 This profile contains rules to ensure standard security baseline
1275 of an Ubuntu 14.04 system. Regardless of your system's workload
1276 all of these checks should pass.
1277 Profile for ANSSI DAT-NT28 Restrictive Level
1280 Profile ID: xccdf_org.ssgproject.content_pro‐
1282 file_anssi_np_nt28_restrictive
1283 This profile contains items for GNU/Linux installations exposed
1285 to unauthenticated flows or multiple sources.
1286 Profile for ANSSI DAT-NT28 Minimal Level
1289 Profile ID: xccdf_org.ssgproject.content_pro‐
1291 file_anssi_np_nt28_minimal
1292 This profile contains items to be applied systematically.
1294 Profile for ANSSI DAT-NT28 High (Enforced) Level
1297 Profile ID: xccdf_org.ssgproject.content_pro‐
1299 file_anssi_np_nt28_high
1300 This profile contains items for GNU/Linux installations storing
1302 sensitive informations that can be accessible from unauthenti‐
1303 cated or uncontroled networks.
1304 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1307 Profile ID: xccdf_org.ssgproject.content_pro‐
1309 file_anssi_np_nt28_average
1310 This profile contains items for GNU/Linux installations already
1312 protected by multiple higher level security stacks.
1313
1319 Source Datastream: ssg-ubuntu1604-ds.xml
1320 The Guide to the Secure Configuration of Ubuntu 16.04 is broken into
1322 'profiles', groupings of security settings that correlate to a known
1323 policy. Available profiles are:
1324 Standard System Security Profile for Ubuntu 16.04
1328 Profile ID: xccdf_org.ssgproject.content_profile_standard
1330 This profile contains rules to ensure standard security baseline
1332 of an Ubuntu 16.04 system. Regardless of your system's workload
1333 all of these checks should pass.
1334 Profile for ANSSI DAT-NT28 Restrictive Level
1337 Profile ID: xccdf_org.ssgproject.content_pro‐
1339 file_anssi_np_nt28_restrictive
1340 This profile contains items for GNU/Linux installations exposed
1342 to unauthenticated flows or multiple sources.
1343 Profile for ANSSI DAT-NT28 Minimal Level
1346 Profile ID: xccdf_org.ssgproject.content_pro‐
1348 file_anssi_np_nt28_minimal
1349 This profile contains items to be applied systematically.
1351 Profile for ANSSI DAT-NT28 High (Enforced) Level
1354 Profile ID: xccdf_org.ssgproject.content_pro‐
1356 file_anssi_np_nt28_high
1357 This profile contains items for GNU/Linux installations storing
1359 sensitive informations that can be accessible from unauthenti‐
1360 cated or uncontroled networks.
1361 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1364 Profile ID: xccdf_org.ssgproject.content_pro‐
1366 file_anssi_np_nt28_average
1367 This profile contains items for GNU/Linux installations already
1369 protected by multiple higher level security stacks.
1370
1376 Source Datastream: ssg-ubuntu1804-ds.xml
1377 The Guide to the Secure Configuration of Ubuntu 18.04 is broken into
1379 'profiles', groupings of security settings that correlate to a known
1380 policy. Available profiles are:
1381 Standard System Security Profile for Ubuntu 18.04
1385 Profile ID: xccdf_org.ssgproject.content_profile_standard
1387 This profile contains rules to ensure standard security baseline
1389 of an Ubuntu 18.04 system. Regardless of your system's workload
1390 all of these checks should pass.
1391 Profile for ANSSI DAT-NT28 Restrictive Level
1394 Profile ID: xccdf_org.ssgproject.content_pro‐
1396 file_anssi_np_nt28_restrictive
1397 This profile contains items for GNU/Linux installations exposed
1399 to unauthenticated flows or multiple sources.
1400 Profile for ANSSI DAT-NT28 Minimal Level
1403 Profile ID: xccdf_org.ssgproject.content_pro‐
1405 file_anssi_np_nt28_minimal
1406 This profile contains items to be applied systematically.
1408 Profile for ANSSI DAT-NT28 High (Enforced) Level
1411 Profile ID: xccdf_org.ssgproject.content_pro‐
1413 file_anssi_np_nt28_high
1414 This profile contains items for GNU/Linux installations storing
1416 sensitive informations that can be accessible from unauthenti‐
1417 cated or uncontroled networks.
1418 Profile for ANSSI DAT-NT28 Average (Intermediate) Level
1421 Profile ID: xccdf_org.ssgproject.content_pro‐
1423 file_anssi_np_nt28_average
1424 This profile contains items for GNU/Linux installations already
1426 protected by multiple higher level security stacks.
1427
1433 Source Datastream: ssg-wrlinux-ds.xml
1434 The Guide to the Secure Configuration of WRLinux is broken into 'pro‐
1436 files', groupings of security settings that correlate to a known pol‐
1437 icy. Available profiles are:
1438 Basic Profile for Embedded Systems
1442 Profile ID: xccdf_org.ssgproject.content_profile_basic-embedded
1444 This profile contains items common to many embedded Linux
1446 installations. Regardless of your system's deployment objec‐
1447 tive, all of these checks should pass.
1448
1455 To scan your system utilizing the OpenSCAP utility against the ospp
1456 profile:
1457 oscap xccdf eval --profile ospp --results /tmp/`hostname`-ssg-
1459 results.xml --report /tmp/`hostname`-ssg-results.html --oval-results
1460 /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
1461 Additional details can be found on the projects wiki page:
1463 https://www.github.com/OpenSCAP/scap-security-guide/wiki
1464
1468 /usr/share/xml/scap/ssg/content
1469 Houses SCAP content utilizing the following naming conventions:
1470 SCAP Source Datastreams: ssg-{product}-ds.xml
1472 CPE Dictionaries: ssg-{product}-cpe-dictionary.xml
1474 CPE OVAL Content: ssg-{product}-cpe-oval.xml
1476 OVAL Content: ssg-{product}-oval.xml
1478 XCCDF Content: ssg-{product}-xccdf.xml
1480 /usr/share/doc/scap-security-guide/guides/
1482 HTML versions of SSG profiles.
1483 /usr/share/scap-security-guide/ansible/
1485 Contains Ansible Playbooks for SSG profiles.
1486 /usr/share/scap-security-guide/bash/
1488 Contains Bash remediation scripts for SSG profiles.
1489
1492 The SCAP Security Guide, an open source project jointly maintained by
1493 Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat tech‐
1494 nologies. As an open source project, community participation extends
1495 into U.S. Department of Defense agencies, civilian agencies, academia,
1496 and other industrial partners.
1497 SCAP Security Guide is provided to consumers through Red Hat's Extended
1499 Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security
1500 Guide content is considered "vendor provided."
1501 Note that while Red Hat hosts the infrastructure for this project and
1503 Red Hat engineers are involved as maintainers and leaders, there is no
1504 commercial support contracts or service level agreements provided by
1505 Red Hat.
1506 Support, for both users and developers, is provided through the SCAP
1508 Security Guide community.
1509 Homepage: https://www.open-scap.org/security-policies/scap-security-
1511 guide
1512 Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-
1514 security-guide
1515
1519 SCAP Security Guide content is considered vendor (Red Hat) provided
1520 content. Per guidance from the U.S. National Institute of Standards
1521 and Technology (NIST), U.S. Government programs are allowed to use Ven‐
1522 dor produced SCAP content in absence of "Governmental Authority" check‐
1523 lists. The specific NIST verbage:
1524 http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
1525
1529 DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT
1530 products incorporated into DoD information systems shall be configured
1531 in accordance with DoD-approved security configuration guidelines" and
1532 tasks Defense Information Systems Agency (DISA) to "develop and provide
1533 security configuration guidance for IA and IA-enabled IT products in
1534 coordination with Director, NSA." The output of this authority is the
1535 DISA Security Technical Implementation Guides, or STIGs. DISA FSO is in
1536 the process of moving the STIGs towards the use of the NIST Security
1537 Content Automation Protocol (SCAP) in order to "automate" compliance
1538 reporting of the STIGs.
1539 Through a common, shared vision, the SCAP Security Guide community
1541 enjoys close collaboration directly with NSA, NIST, and DISA FSO. As
1542 stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview,
1543 Version 1, Release 2, issued on 03-JUNE-2013:
1544 "The consensus content was developed using an open-source project
1546 called SCAP Security Guide. The project's website is https://www.open-
1547 scap.org/security-policies/scap-security-guide. Except for differences
1548 in formatting to accomodate the DISA STIG publishing process, the con‐
1549 tent of the Red Hat Enterprise Linux 6 STIG should mirrot the SCAP
1550 Security Guide content with only minor divergence as updates from mul‐
1551 tiple sources work through the concensus process."
1552 The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013.
1554 Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF
1555 content and is available online: http://iase.disa.mil/stigs/os/unix-
1556 linux/Pages/red-hat.aspx
1557 Content published against the iase.disa.mil website is authoritative
1559 STIG content. The SCAP Security Guide project, as noted in the STIG
1560 overview, is considered upstream content. Unlike DISA FSO, the SCAP
1561 Security Guide project does publish OVAL automation content. Individual
1562 programs and C&A evaluators make program-level determinations on the
1563 direct usage of the SCAP Security Guide. Currently there is no blanket
1564 approval.
1565
1569 oscap(8)
1570
1574 Please direct all questions to the SSG mailing list:
1575 https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
1576version 1 26 Jan 2013 scap-security-guide(8)